Google Leaks Identities of Over 280,000 Customers Who Were Paying to Stay Hidden

The records were out in the open since 2013

Google has patched the problem and hidden the data again—though the door was wide open on the database from 2013 onward. (Photo: Philippe Huguen/Getty Images)

If you want to figure out who owns a website, it’s pretty easy: You simply punch the URL into a “whois” database, and up pops the info of the person who registered that domain. Unless, of course, that person has paid their hosting service extra so that you can’t find out who they are.

On the left is what an entry should look like: nice and hidden. On the right is what they ended up looking like. (Photo: Cisco)

Yesterday, a group of security researchers from Cisco revealed that Google had been slowly de-anonymizing its customers who were buying domain names through Google. Due to a problem with the way Google’s system interacted with the third-party registrar service eNom, customers for whom identity protection is a part of the “Google App” services were not, in fact, given that protection.

Of Google’s 305,925 customers registered with eNom, 282,867 have had their records sitting out in the open since 2013, including names, email addresses and phone numbers.

Google gave this statement to the Observer:

A security researcher recently reported a defect via our Vulnerability Rewards Program affecting Google Apps’ integration with the Enom domain registration API. We identified the root cause, made the appropriate fixes, and we’re communicating with affected Apps customers. We apologize for any issues this may have caused.

Since the problem was reported to Google’s vulnerability rewards program, they’ve been reaching out to customers, fixing the bugs, and putting every affected account back under the cloak of anonymity.

Kudos to Craig Williams of the Talos team at Cisco, who is—given the reward amounts for letting Google know about flaws in their services—likely thousands of dollars richer.